Azure ARM (22) Getting started with Azure Policy

Publisher: 清新时光 | Latest update time: 2019-12-16 | Source: eefocus | Keywords: ARM

  Azure organizes its services in a hierarchy with several levels:

  1. Enterprise Agreement (enterprise contract)

  2. Subscription

  3. Resource Group

  4. Resources

  The Azure resources we use are actually deployed in Azure resource groups.

 

  Sometimes, however, we need to set rules or policies on Azure resource groups to meet the company's security and compliance requirements for resources on the cloud platform.

  For example:

  1. When we create Azure resources, a tag must be added to the resource group.

  2. When we create an Azure virtual machine, the user must configure virtual machine backup at the same time; otherwise the user is not allowed to create the virtual machine.

  3. When we create an Azure virtual machine, only certain sizes (such as 4-core or 8-core) may be chosen. Users are not allowed to create other types of virtual machines, such as GPU virtual machines.

  

  In these scenarios, we can use Azure Policy to meet the security and compliance requirements.

 

  What is the difference between Azure Policy and Azure RBAC (Role Based Access Control)?

  Azure RBAC restricts user permissions, that is, which users hold which permissions on resource groups.

  For example, for a given account we can set Owner, Contributor, or Reader permissions on the resource group.

  Simply put, RBAC defines which users there are and what permissions they have, such as create, delete, modify, and read.

 

  Azure Policy governs the compliance of Azure resources. Azure Policy provides many default policies, such as:

  (1) Only allow users to create resources in certain data centers

  (2) Only allow the creation of PaaS services for SQL Server version 12

  (3) Only allow users to create certain virtual machine types

  (4) When creating resources, a tag must be added to the resource group

  (5) Users are not allowed to create other types of resources

 

  Azure Policy can take effect at the following scopes:

  (1) Azure Policy can be set at the entire subscription level. That is, all resource groups under the subscription must comply with the policy requirements.

  (2) Azure Policy can be set within a resource group. That is, only this resource group must comply with the policy requirements.

  (3) We can also set Azure Policy exclusions to exclude certain resources.

  For example, we have a production resource group (Production-RG) and a test resource group (Test-RG) under one subscription.

  When we set the virtual machine backup policy, it takes effect for the production resource group (Production-RG) but not for the test resource group (Test-RG).

  

  Custom Policy

  Although Azure provides default policies, we can also create custom policies to meet the company's security and compliance requirements.
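
  The following is an added example, not part of the original article and not Azure's own evaluation engine: a simplified Python model of how a subscription-level assignment with an excluded resource group decides whether a virtual machine may be created. The rule uses the Azure Policy definition format for an "allowed VM sizes" policy. The subscription ID, SKU names and function names are constructed for illustration, and only a subset of condition operators is handled.

```python
# Simplified local model of Azure Policy evaluation. Constructed sample values throughout.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription ID

# Rule in the Azure Policy definition format: deny VMs whose size is not in the allowed list.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": ["Standard_D4s_v3", "Standard_D8s_v3"]}},  # sample 4- and 8-core sizes
    ]},
    "then": {"effect": "deny"},
}

# Assignment: applies to the whole subscription, with the test resource group excluded.
ASSIGNMENT = {"scope": SUB, "notScopes": [SUB + "/resourceGroups/Test-RG"]}

def under(resource_id, scope):
    """True if resource_id is the scope itself or a child of it (case-insensitive)."""
    rid, sc = resource_id.lower(), scope.lower().rstrip("/")
    return rid == sc or rid.startswith(sc + "/")  # "/" stops Test-RG matching Test-RG-2

def matches(cond, fields):
    """Evaluate the condition operators used here: allOf, not, equals, in."""
    if "allOf" in cond:
        return all(matches(c, fields) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], fields)
    value = fields.get(cond["field"])
    if "equals" in cond:
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    if "in" in cond:
        return value is not None and str(value).lower() in [str(v).lower() for v in cond["in"]]
    raise ValueError("unsupported condition: %r" % cond)

def evaluate(resource_id, fields, rule=POLICY_RULE, assignment=ASSIGNMENT):
    """Return 'deny' or 'allow' for a create request against one assignment."""
    if not under(resource_id, assignment["scope"]):
        return "allow"  # outside the assigned scope
    if any(under(resource_id, ns) for ns in assignment["notScopes"]):
        return "allow"  # inside an excluded scope
    return rule["then"]["effect"] if matches(rule["if"], fields) else "allow"

def vm(rg, name, sku):
    """Build a (resource_id, fields) pair for a hypothetical VM create request."""
    rid = f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{name}"
    return rid, {"type": "Microsoft.Compute/virtualMachines",
                 "Microsoft.Compute/virtualMachines/sku.name": sku}
```

  Calling `evaluate(*vm("Production-RG", "gpu01", "Standard_NC6"))` returns `deny`, while the same request in `Test-RG` is allowed because of the exclusion.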
